(S//NF) The purpose of this communication is to provide a summary of findings for all computer intrusion analysis conducted in support of captioned investigation. The analysis related to each of the events described below has been serialized in greater detail in MIDYEAR EXAM, Cyber sub-file.


(U//FOUO) This communication is split into two parts: general cyber analysis conducted over the course of the investigation; and cyber-related events that warranted further analysis, each of which is summarized individually.


(U) GENERAL CYBER INTRUSION ANALYSIS 


(U//FOUO) INTRUSION ANALYSIS OF E-MAIL SERVERS AND DEVICES


(U//FOUO) FBI Operational Technology Division's Investigative Analysis Unit (IAU) conducted forensic analysis of images of the BRYAN PAGLIANO server* and the PLATTE RIVER NETWORK (PRN) server, to include media from DATTO backups and supplemental PRN files.




* (U//FOUO) The oldest Windows Security Event logs available to the FBI from the PAGLIANO Server were from June 2013. As such, analysis of login data for accounts hosted on the server—to include CLINTON's—was limited.

(U//FOUO) For IAU's complete report and details of the event related to [___], see [___] CYBER, serials 17 and 37, respectively.
(U//FOUO) ANALYSIS OF DEVICES USED TO CULL CLINTON'S WORK E-MAILS
(U) SIGNATURE DEVELOPMENT 
(S//NF) In support of captioned investigation, [___] through computer intrusion methods [___] furnished [___] Division. The Executive Office of the President and DoS's Info[___] [___]rch the requested fields [___]

(U//FOUO) For more detailed information related to efforts concerning [___], see [___] CYBER, serial 9.
(U) IP ADDRESS ANALYSIS 
(S//NF) In support of captioned investigation, writers [___]


(U//FOUO) Research and analysis focused heavily on the remaining [___] IP addresses, which resolved to USG entities: the Executive Office of the President (EOP), U.S. Department of State, and U.S. Senate. Findings on [___] of the IP addresses are detailed at length in MIDYEAR EXAM, Cyber sub-file, serial 19. Of note, however, are the results found for IP address [___]


(U) E-MAIL ADDRESS ANALYSIS 


(U//FOUO) Queries on [___] e-mail addresses associated with individuals CLINTON regular[___] [___]

Other results highlighted attempts by criminal actors to log in to an ICLOUD account for HDR22@CLINTONEMAIL.COM, which was used by CLINTON. Details about the various spear-phishing attempts and the illegitimate ICLOUD login attempts can be found in [___] CYBER, serials 7 and 15.

(S//NF) A review of approximately [___] e-mail addresses found in confirmed classified e-mail exchanges CLINTON was a part of was also conducted. The accounts were [___]

(U//FOUO) Complete details about the review of the [___] accounts can be found in [___] CYBER, serial 8.


(U) DOMAIN NAME ANALYSIS 
(U) DEVICE IDENTIFIERS ANALYSIS


(S//NF) FBI database checks were conducted on approximately [___] electronic device identifiers ranging from [___] and serial IDs associated with handheld devices associated with CLINTON. The unique values were queried and additional research was conducted on [___]; their associated case files are [___] Sentinel.

(U//FOUO) Full details of the device queries conducted can be found in [___] CYBER, serial 25.


(U//FOUO) CLINTON ACCOUNT LOGINS TO THE PAGLIANO SERVER


(U//FOUO) Logins for CLINTON's e-mail accounts spanning
from 04/18/2009 to 06/30/2013 were analyzed to determine when CLINTON 
may have begun using the PAGLIANO Server; possible suspicious login 
activity while her account was hosted on the PAGLIANO Server; and 
whether logins were conducted from high-threat countries CLINTON 
traveled to during her tenure as U.S. Secretary of State. 


(U//FOUO) Analysis was unable to determine the exact date of when HDR22@CLINTONEMAIL.COM was first hosted on the PAGLIANO Server. However, available IIS log data revealed logins between 04/18/2009 and 06/30/2013 were conducted from [___] unique IP addresses, [___] of which resolved to the United States and [___] to foreign countries.


(U//FOUO) The majority of US-based IP addresses resolved to public ISPs, and [___] to USG entities: [___] to DoS and [___] to the U.S. Air Force (USAF). Use of the [___] DoS IP addresses stood out, as CLINTON is known to not have had a computer terminal while at DoS, and repeated logins in 2011 and 2012 from IP addresses resolving to [___] seemed unusual.


(U//FOUO) Statements provided to the FBI throughout the
course of captioned investigation noted a limited number of 
individuals had authorized access to CLINTON’s e-mail account, 
leading to the conclusion that logins conducted from DoS IP addresses 
were likely carried out by CLINTON’s aides. 


(U//FOUO) Regarding logins originating from the [___] USAF IP addresses, it is unclear why CLINTON's account would have connected to the PAGLIANO Server using USAF infrastructure. A possible explanation, however, is that CLINTON's iPad devices perhaps connected to the wireless network aboard the C-32 airplane she traveled on when on official business, which was a USAF-operated aircraft. This is a likely explanation, as the dates of activity reflected on the IIS logs correlated with CLINTON's official overseas travel schedule, as published by DoS.


(U//FOUO) Logins conducted from overseas locations also correlated with CLINTON's official travel schedule, except for logins from [___]. Analysis of the related [___] and knowing that CLINTON aides had authorized access to her e-mail account make it likely that logins from [___] were carried out by CLINTON staff members, though this could not be confirmed.

(U//FOUO) Additional details related to login analysis conducted for CLINTON's accounts can be found in [___] CYBER, serial 38.

(U//FOUO) ANALYSIS OF SECNAP ALERTS & [___] EVENTS


(U//FOUO) In the months following CLINTON's departure from DoS, her personal e-mail server's content was migrated to a server administered by PLATTE RIVER NETWORKS (PRN), who contracted with SECNAP NETWORK SECURITY CORPORATION to set up an intrusion detection and intrusion prevention (IDS/IPS) solution called CLOUDJACKET. The IDS/IPS sent alert e-mails when potentially malicious activity was directed at the server administered by PRN. Analysis of the e-mail messages between July 2013 and October 2015 found that [___]

(U//FOUO) Analysis of activity captured by one of the firewalls installed on the PRN Server revealed that [___]. Further inspection of the events found that [___].

(U//FOUO) Additional details related to the analysis conducted above can be found in [___] CYBER, serials 27 and 30.


(U) ANALYSIS OF SPECIFIC CYBER-RELATED EVENTS

[___] obtained for the aforementioned account identified JACOB SULLIVAN (SULLIVAN), [___] as the subscriber.

(S//NF) For more detailed information related to [___] in SULLIVAN's account compromise, see [___] CYBER, serial 3.

[___] account compromise, see [___] CYBER, serial 4.


(U//FOUO) COMPROMISE OF SIDNEY BLUMENTHAL'S PERSONAL E-MAIL ACCOUNT (2013)


(U//FOUO) On or about 03/14/2013, SIDNEY BLUMENTHAL's (BLUMENTHAL) personal America Online (AOL) account was compromised by MARCEL LEHEL LAZAR (LAZAR), aka GUCCIFER, a Romanian hacker. BLUMENTHAL, a former political aide to President WILLIAM J. CLINTON and unofficial advisor to CLINTON during her tenure as U.S. Secretary of State, authored and sent CLINTON numerous e-mails and memorandums covering a wide range of foreign policy and intelligence matters. Over the course of CLINTON's tenure, BLUMENTHAL sent e-mails, [___] which contained information* deemed classified after classification review.


(U//FOUO) Following BLUMENTHAL's account compromise, LAZAR distributed a screenshot listing the filenames of 19 unique memos pilfered from the victim's account to 31 news media outlets, some of them foreign. Review of the filenames revealed [___]. It is unknown if--in addition to the screenshot mentioned above--LAZAR also distributed soft copies of the memos to reporters.

* (U//FOUO) Classification review of [___] memos authored and sent by BLUMENTHAL determined [___] memos are currently classified CONFIDENTIAL and [___] classified SECRET.


(U//FOUO) ALLEGED COMPROMISE OF CLINTON'S E-MAIL SERVER


(U//FOUO) Shortly after being extradited to the United States on 03/31/2016 to face criminal charges, LAZAR revealed to FOX NEWS that he had compromised CLINTON's personal e-mail server. [___] analysis of the approximate dates of when LAZAR claimed he hacked the CLINTON server did not reveal direct evidence of a compromise, though [___] foreign IP addresses* were captured in IIS logs* in the week following BLUMENTHAL's account compromise. There was insufficient data to determine whether LAZAR may have been behind the activity associated with the [___] IP addresses in question, or whether the activity may have been conducted by individuals with whom LAZAR shared the BLUMENTHAL memos. When interviewed by the FBI on 05/26/2016, LAZAR stated he lied to FOX NEWS about hacking into CLINTON's server.


(U//FOUO) For complete details related to BLUMENTHAL's account compromise; memos he sent to CLINTON; LAZAR's claims to FOX NEWS; and follow-up analysis conducted by writers, see [___] CYBER, serials 6, 29, 31, 32, 35, and 39.


(U//FOUO) ATTEMPTED COMPROMISE OF ICLOUD ACCOUNT (2015) 


(U//FOUO) Analysis was conducted on [___] login attempts to the APPLE ICLOUD account [___] with the e-mail address HDR22@CLINTONEMAIL.COM. [___] revealed the activity occurred between 03/03/2015 and 12/13/2015, with [___] attempts made [___]

(U//FOUO) Logical investigative follow-up was conducted on each of the above IP addresses, with certain results worth highlighting in this document.


(U//FOUO) [___]

(U//FOUO) [___] The subscriber of IP addresses [___] was determined to be [___] to [___] company located in [___]. A total of [___] login attempts were conducted from IP addresses [___] from 03/03/2015 to 03/06/2015, all during normal business [___].

(U//FOUO) [___], Chief Executive Officer of [___], confirmed the aforementioned IP addresses were assigned to the company as of late March 2016, and have belonged [___] in the past. IP address [___] dedicated to the company's [___], described as [___], utilized that IP address to conduct [___].

(U//FOUO) [___] does not maintain historical logs for searches that are conducted by their clients.
(U//FOUO) At this time, no additional information has been identified to explain the login attempts to the HDR22@CLINTONEMAIL.COM ICLOUD account. Of significance is that the login attempts began on 03/03/2015, which occurred a day after THE NEW YORK TIMES' (NYT) release of an article noting CLINTON's use of a personal e-mail system for official business.


(U//FOUO) Full details of [___] interview can be found in [___] CYBER, serial 16.

(U//FOUO) [___]
(U//FOUO) Another significant finding related to login attempts to the ICLOUD account associated with HDR22@CLINTONEMAIL.COM involved statements made [___] investigation [___] admitted that he attempted to access many celebrities' ICLOUD accounts, including the one associated with HDR22@CLINTONEMAIL.COM. [___] provided that his activities were primarily conducted from [___] and he denied gaining access to the account of interest. As he recalled, during his attempts to access the account he was [___], which led [___] to assess the account was an older one and likely had little information of value in it.


(U//FOUO) Investigation in this matter determined that [___] likely was responsible for [___] login attempts to the HDR22@CLINTONEMAIL.COM ICLOUD account. Those attempts originated from [___] in to ICLOUD accounts from [___] was identified in the San[___] investigation as being [___]. Lastly, given that [___] admitted to conducting unauthorized login attempts to ICLOUD accounts, [___] were obtained. Review of these led writers to assess that [___] possibly was responsible for the login [___]. No additional evidence, however, was identified to corroborate [___].

(U//FOUO) Full details of failed APPLE ICLOUD attempts can be found in [___] CYBER, serial 7.


(U//FOUO) ATTEMPTED LOGINS TO EXCHANGE SERVER AND DOMAIN CONTROLLER (2015)

(U//FOUO) This investigation determined that on 03/02/2015 the NYT published an article documenting CLINTON's use of a private e-mail server* and her personal e-mail address of HDR22@CLINTONEMAIL.COM. The public release of that information led to an increase in firewall activity and failed login attempts to the Microsoft Exchange server and domain controller associated with the [___] domain.


(U) IIS LOG ANALYSIS


(U//FOUO) Analysis of the IIS logs subsequent to 03/02/2015 was conducted, and a review of the most frequent user accounts that did not successfully authenticate to the Exchange server was conducted. The user accounts [___] were most frequently used for failed login attempts. This activity was expected, as the targeting of known or suspected user accounts is consistent with that of malicious cyber actors.


(U//FOUO) Failed login attempts with usernames, including the [___] handle, could be attributed to attackers who gleaned the account information from the NYT article. However, the failed login attempts during this timeframe could also be attributed to that of a legitimate user who accidentally entered an invalid password. More indicative of potential cyber attackers, nonetheless, are the failed login attempts that occurred with the usernames of [___]

* (U//FOUO) For most of CLINTON's tenure as U.S. Secretary of State, her e-mail traffic was hosted on a private e-mail server administered by BRYAN PAGLIANO, content of which was migrated to a new server administered by PLATTE RIVER NETWORKS beginning the summer of 2013.
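The two IIS log reviews summarized in this communication, the count of usernames that most often failed to authenticate to the Exchange server (with the distinction drawn above between failures against a real account, which may be a typo, and failures against names that never existed) and the earlier correlation of PAGLIANO Server login sources with CLINTON's published travel schedule, can be scripted against W3C-format IIS logs. The Python below is an added example written for this summary; it is not code from the investigation, from IAU, or from any vendor. The log lines, the account list, the IP-to-country prefix table and the travel windows are all constructed (RFC 5737 documentation addresses), and it assumes the attempted username is present in the `cs-username` field on the 401 response, which depends on the authentication scheme the server used.

```python
from collections import Counter
from datetime import date
from ipaddress import ip_address, ip_network

# Constructed W3C extended-format IIS log excerpt for an OWA front end. The
# usernames, addresses (RFC 5737 documentation ranges) and timestamps are
# invented; "hdr22" appears only because that account is named in the summary.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 7.5
#Fields: date time cs-method cs-uri-stem cs-username c-ip sc-status
2015-03-03 14:02:11 POST /owa/auth.owa hdr22 203.0.113.7 401
2015-03-03 14:02:13 POST /owa/auth.owa hdr22 203.0.113.7 401
2015-03-03 14:02:20 POST /owa/auth.owa administrator 203.0.113.7 401
2015-03-03 14:05:01 POST /owa/auth.owa admin 198.51.100.9 401
2015-03-04 09:10:44 POST /owa/auth.owa hdr22 192.0.2.55 401
2015-03-04 09:11:02 GET /owa/ hdr22 192.0.2.55 200
2015-03-05 22:15:30 POST /owa/auth.owa test 203.0.113.7 401
2015-03-06 03:40:12 GET /owa/ hdr22 198.51.100.23 200
2015-03-06 11:12:00 GET /owa/ hdr22 203.0.113.77 200
"""

# Constructed prefix-to-country table standing in for a geolocation lookup.
IP_COUNTRY = [
    (ip_network("203.0.113.0/24"), "RO"),
    (ip_network("198.51.100.0/24"), "DE"),
    (ip_network("192.0.2.0/24"), "US"),
]

# Constructed travel schedule: (first day, last day, country) windows; the
# account owner is assumed to be in the home country on every other day.
TRAVEL = [(date(2015, 3, 5), date(2015, 3, 7), "DE")]


def parse_iis_log(text):
    """Turn W3C extended-format lines into dicts keyed by the names in #Fields."""
    fields, records = None, []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]          # the column layout can change mid-file
        elif line.startswith("#") or not line.strip():
            continue                           # other directives and blank lines
        elif fields is None:
            raise ValueError("data line before any #Fields directive")
        else:
            values = line.split()
            if len(values) != len(fields):
                raise ValueError(f"field count mismatch: {line!r}")
            records.append(dict(zip(fields, values)))
    return records


def failed_auth_by_user(records, known_accounts):
    """Count 401 responses per attempted username, split by whether the name exists.

    Failures against provisioned accounts may be the owner mistyping a password;
    failures against names that were never provisioned have no such explanation.
    """
    known = {name.lower() for name in known_accounts}
    counts = {"known": Counter(), "unknown": Counter()}
    for rec in records:
        if rec["sc-status"] != "401" or rec["cs-username"] == "-":
            continue
        user = rec["cs-username"].lower()
        counts["known" if user in known else "unknown"][user] += 1
    return counts


def country_of(ip):
    """Look an address up in the constructed prefix table ("??" if not listed)."""
    addr = ip_address(ip)
    for net, cc in IP_COUNTRY:
        if addr in net:
            return cc
    return "??"


def expected_country(day, travel=TRAVEL, home="US"):
    """Where the account owner was on a given day according to the schedule."""
    for start, end, cc in travel:
        if start <= day <= end:
            return cc
    return home


def logins_outside_schedule(records, travel=TRAVEL, home="US"):
    """Successful logins whose source country does not match the travel schedule."""
    hits = []
    for rec in records:
        if rec["sc-status"] != "200" or rec["cs-username"] == "-":
            continue
        day = date.fromisoformat(rec["date"])
        seen, wanted = country_of(rec["c-ip"]), expected_country(day, travel, home)
        if seen != wanted:
            hits.append((rec["date"], rec["cs-username"], rec["c-ip"], seen, wanted))
    return hits


if __name__ == "__main__":
    recs = parse_iis_log(SAMPLE_LOG)
    print(failed_auth_by_user(recs, ["hdr22"]))
    print(logins_outside_schedule(recs))
```

On the constructed sample, the only provisioned account fails three times while three never-provisioned names each fail once, and one successful login on 03/06 resolves to a country other than the one the schedule places the owner in that day. A real review would feed a genuine geolocation source into `country_of` and the published itinerary into `TRAVEL`; a schedule match, as the summary notes for the USAF addresses, explains a source but does not prove who was at the keyboard.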
(U) DOMAIN CONTROLLER FIREWALL LOGS


(U//FOUO) Firewall logs obtained from the domain 
controller associated with CLINTONEMAIL.COM were reviewed. The 
review identified that subsequent to 03/02/2015, several 
unauthorized access attempts from US-based and foreign IP addresses 
were captured by the firewall, specifically between 03/03/2015 and 
03/05/2015. The domain controller captured unauthorized login 
attempts using several invalid login names. Given the publicity of 
the CLINTONEMAIL.COM domain, this type of behavior on the domain 
controller was expected. 


(U//FOUO) [___]


(U//FOUO) For more detailed information related to failed [___] to the Exchange server and domain controller, see [___] CYBER, serials 24 and 28.

(U//FOUO) [___] IP ADDRESS ANALYSIS (2015)


(S//NF) Investigative activity [___] EXAM revealed [___] IP addresses used by [___], an administrator of the PRN Server, to log in to [___] under his control between March and August 2015 [___]

* (U//FOUO) [___] used the IP address to log in remotely to the PRN Server to administer the network and e-mail server.
SECRET//ORCON/NOFORN

HRC-8967


[___] concerning [___]

(U//FOUO) Full details about the suspicious activity by [___] IP address [___] can be found in [___].


HRC-8969


